Presentation is loading. Please wait.

Presentation is loading. Please wait.

IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin."— Presentation transcript:

1 IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin

2 Nov. 11 2003IETF58 PANA WG PANA Issues http://www.danforsberg.info:8080/pana-issues/ 15 issues for draf-ietf-pana-pana-01were resolved and closed Resolution text incorporated in pana-02 There are 9 open issues for pana-02

3 Nov. 11 2003IETF58 PANA WG PANA-01 Issues (Closed)

4 Nov. 11 2003IETF58 PANA WG Message Format Related Issues The same message type is allocated to each pair of Request and Answer message (Issue 22) –use R-flag to distinguish Request from Answer PANA uses its own type space for message and AVP types (Issue 23) –No type space sharing with Diameter A new message “PANA-Error” is defined (Issue 17) –Section 4.1.8 defines the error handling rule –Section 9.3.13 defines the message format AVP alignment rule is added (Issue 24) –The same 32-bit alignment rule as Diameter Termination-Cause AVP values are defined (Issue 18) Result-Code AVP values are defined (Issue 19)

5 Nov. 11 2003IETF58 PANA WG Other Issues Defined detailed retransmission behavior and default parameters (Issue 20, explained later) Service Profile Names (Issue 25, explained later) Clarified that Session-Lifetime is non-negotiable and can be carried in PANA-Bind-Request message sent from PAA (Issue 8) Clarified that PAA SHOULD initiate EAP re- authentication before the session lifetime expires (Issue 31) Security Consideration section is updated (Issue 32) –Re-wording “periodical refresh” to “liveness test”, etc. Clarification of Section 4.9 “Device-ID Choice” (Issue 33) –PaC and PAA checks peer’s Device ID each other Minor editorial changes (Issues 21, 26, 30)

6 Nov. 11 2003IETF58 PANA WG Issue 20: Retransmission Timers and Counters Issue: Define default timer and retransmission counts Resolution: –Adopt the RFC3315 [DHCPv6] model Define algorithm and parameters for retransmission –Use of exponential backoff Classify messages retransmitted by PANA Each class uses the same default parameter values –PANA-PAA-Discover –Other messages Define default values for each class

7 Nov. 11 2003IETF58 PANA WG Issue 25: Service Profile Names Issue: Carrying network information during discovery and initial handshake phase would be helpful for a user to choose NAP and ISP Resolution: –Defined two new AVPs: NAP-Information AVP and ISP-Information AVP –Defined a new flag (S-flag) –Define the usage of the AVPs and S-flag

8 Nov. 11 2003IETF58 PANA WG Issue 25 (cont’d) {NAP,ISP}-Information AVP NAP-Information ::= 0*1 { Provider-Identifier } { Provider-Name } * [ AVP ] ISP-Information ::= 0*1 { Provider-Identifier } { Provider-Name } * [ AVP ] Provider-Identifier (Unsigned32): IANA-Assigned Enterprise Identifier Provider-Name (UTF8String)

9 Nov. 11 2003IETF58 PANA WG Issue 25 (cont’d) {NAP,ISP}-Information AVP Usage PAA can advertise *-Information AVPs in PANA-Start- Request message S-flag in PANA-Start-Request/Answer exchange is used for negotiating NAP/ISP separate authentication –F(inal)-flag is not needed any more During the negotiation, PaC can choose an ISP by including an ISP-Information AVP in the PANA-Start- Answer message PAA can specify which authentication (NAP or ISP) is occuring –by including a corresponding *-Information AVP in the first PANA-Auth-Request message in each authentication

10 Nov. 11 2003IETF58 PANA WG Issue 25 (cont’d) Example Sequence PANA-PAA-Discover PANA-Start-Request [ISP1, ISP2, NAP] // S-flag set PANA-Start-Answer [ISP1, NAP] // S-flag set PANA-Auth-Request[NAP, EAP{Req.}] PANA-Auth-Answer[EAP{Resp.}] PANA-Bind-Request/Answer PANA-Auth-Request[ISP1, EAP{Req.}] PANA-Auth-Answer[EAP{Resp.}] … PANA-Bind-Request/Answer … NAP Authentication ISP Authentication Discovery& Initial Handshake Execution order can be reversed

11 Nov. 11 2003IETF58 PANA WG PANA-02 Issues (Open)

12 Nov. 11 2003IETF58 PANA WG Open Issue List (ordered by importance) http://www.danforsberg.info:8080/pana-issues/ Issue #Issue Name 28PaC and PAA State Machines (to be presented by Dan) 34Behavior with NAP and ISP 37Unknown Realm Error Propagation 29EAP Failure & PANA-Bind-Request 36(Re)authentication Race Condition 35EP Information 16Mutihoming Support 12Supporting Network Access Authentication for Ad-hoc Networks 2Downgrading Protection

13 Nov. 11 2003IETF58 PANA WG Issue: How Session-Lifetime relates to NAP and ISP authentications? Proposed Resolution: –A single Session-Lifetime is bound to a PANA session –When NAP and ISP have different authorization lifetimes, the smaller one relates to the Session- Lifetime –When EAP re-authentication occurs, both NAP and ISP authentications will be performed Issue 34: Behavior with NAP and ISP

14 Nov. 11 2003IETF58 PANA WG Issue 37: Unknown Realm Error Propagation Issue: –Should “unknown realm” AAA message routing error be propagated to PaC? Discussion: –EAP state machine does not support propagation of AAA errors When such an error occurs, the authentication state machine enters a sink “failure” state without generating any error or an EAP-Failure message Direct interface from AAA to PAA would be needed Resolution?

15 Nov. 11 2003IETF58 PANA WG Issue 29: EAP Failure and PANA-Bind- Request Issue: –Should PANA-Termination-Request be used for carrying EAP-Failure instead of PANA-Bind-Request? Discussion: –When NAP/ISP separate authentication is performed, a single EAP failure does not mean PANA authentication failure Resolution –PANA-Term.-Request is not appropriate to carry EAP- Failure for the above reason –Use PANA-Bind-{Request,Answer} message to carry EAP- Success/Failure (as the current draft does) –“Bind” may be renamed to “Result” if the word “Bind” does not make sense to carry EAP-Failure

16 Nov. 11 2003IETF58 PANA WG Issue 36: (Re)authentication Race Condition Issue: –It is possible for both PaC and PAA to simultaneously initiate EAP (re)authentication. How can PANA handle the case? PaCPAA PANA-PAA-Discover PANA-Start-Request (or PANA-Auth-Request) Proposed Resolution: –PAA can always be the winner, by ignoring the received PANA-PAA-Discover message after it sends a PANA-Start- Request (or PANA-Auth-Request)

17 Nov. 11 2003IETF58 PANA WG Issue 35: EP Information Issue: –PANA-IPsec draft assumes that PaC learns the IP address of the EP during the PANA exchange. But PANA specification does not support it Proposed Resolution: –Having an AVP to carry the Device-Id of EP(s) –Device-Id AVP can have a field to indicate whether the device belongs to PAA or a separate EP –The AVP is carried in PANA-Bind-Request

18 Nov. 11 2003IETF58 PANA WG Issue 16: Multihoming Support Issue: –When PaC has multiple interfaces on the same IP link, should it be supported with a single PANA session or separate PANA sessions? Discussion –A single PANA session for multiple interfaces is basically an optimization issue Proposed resolution: –We should do a more thorough analysis if we support the scenario with a single PANA session –Until the analysis is made, separate PANA session is sufficient

19 Nov. 11 2003IETF58 PANA WG Issue 12: Supporting Network Access Authentication for Ad-hoc Networks Issue: –Should PANA support ad-hoc network scenario where there may be one or more untrusted nodes between PaC and PAA? Resolution? PaCPAA ISP Ad-hoc network Untrusted nodes

20 Nov. 11 2003IETF58 PANA WG Issue 2: Downgrading Protection Issue: –EAP allows negotiation of an EAP method between authenticator and peer. This mechanism is vulnerable to downgrading attacks. Discussion: –Providing downgrading protection in PANA is not good since an EAP server may not be co-located with PAA –EAP method negotiation is not performed by PANA, so this is an EAP issue Resolution: –Text incorporated in Security Considerations section Recommendation of using EAP-GSSAPI to negotiate an EAP method

Download ppt "IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin."

Similar presentations

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.

Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
PANA Requirements and Terminology - IETF54 -. PANA WG, IETF 54, Requirements and Terminology draft-ietf-pana-requirements-02.txt Changes Comments/questions.

PANA Requirements and Terminology - IETF54 -. PANA WG, IETF 54, Requirements and Terminology draft-ietf-pana-requirements-02.txt Changes Comments/questions.
1 Improved DNS Server Selection for Multi-Homed Nodes draft-savolainen-mif-dns-server-selection-04 Teemu Savolainen (Nokia) Jun-ya Kato (NTT) MIF WG meeting.

1 Improved DNS Server Selection for Multi-Homed Nodes draft-savolainen-mif-dns-server-selection-04 Teemu Savolainen (Nokia) Jun-ya Kato (NTT) MIF WG meeting.
Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.

Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.
Applicability Statement of NSIS Protocols in Mobile Environments (draft-ietf-nsis-applicability-mobility-signaling-03) Sung-Hyuck Lee, Seong-Ho Jeong,

Applicability Statement of NSIS Protocols in Mobile Environments (draft-ietf-nsis-applicability-mobility-signaling-03) Sung-Hyuck Lee, Seong-Ho Jeong,
12/05/2007IETF70 PANA WG1 PANA Network Selection draft-ohba-pana-netsel-00.txt Yoshihiro Ohba.

12/05/2007IETF70 PANA WG1 PANA Network Selection draft-ohba-pana-netsel-00.txt Yoshihiro Ohba.
July 15, 2002IETF54 PANA WG1 PANA Usage Scenarios Updates (draft-ietf-pana-usage-scenarios-02.txt) Yoshihiro Ohba Subir Das

July 15, 2002IETF54 PANA WG1 PANA Usage Scenarios Updates (draft-ietf-pana-usage-scenarios-02.txt) Yoshihiro Ohba Subir Das
March 20, 2006IETF65 PANA WG PANA Specification Updates (draft-ietf-pana-pana-11.txt) Yoshihiro Ohba

March 20, 2006IETF65 PANA WG PANA Specification Updates (draft-ietf-pana-pana-11.txt) Yoshihiro Ohba
Dean Cheng Jouni Korhonen Mehamed Boucadair

Dean Cheng Jouni Korhonen Mehamed Boucadair
Issues to Consider w.r.t Protocol Solution - IETF54 -

Issues to Consider w.r.t Protocol Solution - IETF54 -
7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.

7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.
IETF54 Charter Issues Dealt with since IETF53 PANA WG Meeting Basavaraj Patil.

IETF54 Charter Issues Dealt with since IETF53 PANA WG Meeting Basavaraj Patil.
August 1, 2005IETF63 PANA WG Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt) Yoshihiro Ohba

August 1, 2005IETF63 PANA WG Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt) Yoshihiro Ohba
KAIS T Security architecture in a multi-hop mesh network Conference in France, 2006 2006. 9. 26. Presented by JooBeom Yun.

KAIS T Security architecture in a multi-hop mesh network Conference in France, Presented by JooBeom Yun.
0 NAT/Firewall NSLP IETF 62th – March 2005 draft-ietf-nsis-nslp-natfw-05.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

0 NAT/Firewall NSLP IETF 62th – March 2005 draft-ietf-nsis-nslp-natfw-05.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
July 16, 20031 Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
IETF-71, Philadelphia PANA in DSL networks draft-morand-pana-panaoverdsl-01.txt Lionel Morand France Telecom Alper Yegin Samsung Yoshihiro Ohba Toshiba.

IETF-71, Philadelphia PANA in DSL networks draft-morand-pana-panaoverdsl-01.txt Lionel Morand France Telecom Alper Yegin Samsung Yoshihiro Ohba Toshiba.

Similar presentations

Ads by Google